Refresh token based on user idle time

Is there any way to find the user idle time based on the usage of the access token and then allow/deny the refresh token? For example, assume token expiry is 30 secs.

Scenario 1: Allow the refresh token if the user performs a transaction at 29 sec and would like to continue beyond token expiry, i.e. idle time < token expiry time.

Scenario 2: Deny the refresh token if the user logs in but doesn't perform any transaction until 31 sec, i.e. idle time >= token expiry time.


Not sure if I understand your question correctly. Let's find out what options you have to find user idle time; maybe that will help to implement your flow.

User_Idle_Time: to know the user idle time, you will need to know the user_last_access_time, and you need to be able to track it.

You have 2 options:

1. If you are tracking the 'last_accessed_time' based on access tokens, you can use this policy to do that:

http://docs.apigee.com/api-services/reference/set-oauth-v2-info-policy

2. If you want to track this across access tokens, that is, based on 'refresh_tokens', you could use a KeyValueMap to manage it:

Key = refresh_token : Value = last_access_time

Based on your use case, you could use one of these approaches.

Now that you can derive 'idle_time' from this information, you can enforce any kind of conditions/rules you need based on it.

@Mukunda, does option 1 work on an expired token? I don't think so. Option 2 will work but brings in additional maintenance activities. What is the approach for cleaning up the expired/unused tokens from the KVM?
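The following is an added example, not code from Apigee or from either poster. It models option 2 from the first reply (a map keyed by refresh_token holding last_access_time, standing in for the KeyValueMap) together with the two scenarios in the question, and adds the purge step the second reply asks about. Everything here is a self-contained simulation: `TokenStore`, its methods and the token string format are assumptions made for illustration, timestamps are plain integer seconds passed in explicitly so the logic is deterministic, and the 30-second expiry comes from the question.

```python
"""Idle-time-gated refresh, modelled in plain Python (illustrative, not Apigee code).

Rule under test: a refresh is allowed only if the time since the user's last
successful access-token use (idle time) is less than the access-token expiry.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TokenStore:
    token_ttl: int = 30  # access-token lifetime in seconds (30 s, as in the question)
    # access_token -> (refresh_token, expires_at); stands in for the OAuth token store
    access_tokens: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    # refresh_token -> last_access_time; stands in for the KVM of option 2
    last_access: Dict[str, int] = field(default_factory=dict)

    def login(self, refresh_token: str, now: int) -> str:
        """Issue an access token and record login as the first activity."""
        access_token = f"at-{refresh_token}-{now}"  # assumed format, for readability only
        self.access_tokens[access_token] = (refresh_token, now + self.token_ttl)
        self.last_access[refresh_token] = now
        return access_token

    def access(self, access_token: str, now: int) -> bool:
        """A protected API call: reject unknown/expired tokens, otherwise record activity."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return False
        refresh_token, expires_at = entry
        if now >= expires_at:
            return False
        # Only a *successful* use counts as activity, so an expired token can
        # never extend the idle window.
        self.last_access[refresh_token] = now
        return True

    def refresh(self, refresh_token: str, now: int) -> Optional[str]:
        """Return a new access token, or None when idle time >= token expiry."""
        last = self.last_access.get(refresh_token)
        if last is None:
            return None  # unknown refresh token, or already purged
        idle_time = now - last
        if idle_time >= self.token_ttl:
            return None  # Scenario 2: user went idle past the expiry window
        # Scenario 1: still active; rotate the access token and drop the old one(s)
        for at, (rt, _) in list(self.access_tokens.items()):
            if rt == refresh_token:
                del self.access_tokens[at]
        return self.login(refresh_token, now)

    def purge_idle(self, now: int) -> int:
        """Cleanup pass for the KVM: drop refresh tokens whose idle time has
        crossed the expiry, plus their access tokens. Returns how many were removed."""
        stale = [rt for rt, last in self.last_access.items() if now - last >= self.token_ttl]
        for rt in stale:
            del self.last_access[rt]
            for at, (owner, _) in list(self.access_tokens.items()):
                if owner == rt:
                    del self.access_tokens[at]
        return len(stale)


if __name__ == "__main__":
    store = TokenStore()
    at = store.login("rt-demo", now=0)
    store.access(at, now=29)                 # transaction at 29 s
    print("scenario 1 refresh at 31 s:", store.refresh("rt-demo", now=31))  # allowed

    store2 = TokenStore()
    store2.login("rt-idle", now=0)           # no transactions afterwards
    print("scenario 2 refresh at 31 s:", store2.refresh("rt-idle", now=31))  # None
    print("purged entries:", store2.purge_idle(now=31))
```

The cleanup question from the second reply is answered by `purge_idle`: because idle time is derived from `last_access_time`, a periodic sweep can delete every entry whose idle time already exceeds the expiry, which is exactly the set of refresh tokens `refresh` would deny anyway. Note that `access` refuses to update `last_access` for an expired token, which is what keeps scenario 2 a denial even if the client keeps retrying with the dead token.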